The Pros of Attending Cons: Why Conferences Offer the Best Security Education Opportunities

Hacker Summer Camp 2016 has come and gone. I have the badges to prove it. (I also have an average daily mileage count of 13 and blisters to prove it.) Hacker Summer Camp is as good as it gets, with 20,000-plus of my closest computer security professional friends in the confines of a Las Vegas hotel. By no means is it cheap, but the security education benefits far outweigh the costs.

To be clear, these are not the only conferences around. Other cons may not get the same level of notoriety as Black Hat or DEF CON, but they are still valuable for a variety of reasons.

The Pros of Attending Cons

As a professional in the community, attending a conference is paramount. Employers certainly see the benefit of encouraging employees to attend conferences throughout the year. There is no con, so to speak, in attending a con.

Networking

The first and most important benefit of attending conferences is the opportunity to network. You can’t put a price tag on it — it’s all about relationships. While we as a practicing group (DEFENDER/BLUETEAM) don’t talk to each other enough, attackers do. I spoke at a small conference a few weeks ago and found out that loss prevention teams hold meetings to discuss the how, what and where of shoplifters’ activities. They also work with competitors and police to stop retail theft, including point-of-sale (POS) and ATM thefts.

I asked about the network security teams and found that they do not participate. It seems like a half-baked idea to share theft analytics but not IT-related issues regarding attacks and defense strategies. Sharing information and knowledge strengthens the community as a whole.

Security Education

Security education is the second benefit. Most security certifications require some kind of continuing education, and one conference can often cover the security education requirement for the year. Some presenters are actual instructors, while others are engineers or security practitioners. Nearly all have real-world experience in the security field, which is more valuable than dry information from a book.

Again, if we BLUETEAM folks were getting better at our jobs, attack surfaces would be getting smaller and the number of high-profile attacks and vulnerability disclosures would shrink proportionally. Unfortunately, that is not the case.

Community Outreach

Another benefit is community outreach. We are all professionals, though we may not always act like it. This community is built on mentorships, which often form at conferences and networking events. All conferences offer opportunities to be mentored or become a mentor — sometimes both. Smaller cons provide attendees a better chance to interact with speakers, while larger events offer opportunities to meet mentors from within the crowd.

Conferences for All Budgets and Experience Levels

Despite the many benefits of attending security conferences, the costs can seem prohibitive. A ticket to Black Hat, for example, costs a few thousand dollars, while DEF CON is priced somewhere around $250. Combined with the costs of airfare, lodging, food and time missed from work, the bill adds up.

But Black Hat and DEF CON are not the only two games in town. BSides are amazing small-money conferences — some are even free or offer opportunities to volunteer in exchange for a ticket. Many are within a two-hour drive from major cities.

The RSA Conference is vendor-heavy, as is Black Hat. These conferences offer face time with the vendors of your choice. Sometimes you can even score face time with technical experts.

DerbyCon is the largest security conference in the Southern U.S. ToorCon and ShmooCon are also incredible conferences to attend, along with CanSecWest and SecTor. You could attend all the conferences mentioned above, but that would be ill-advised even for seasoned security professionals. Neither your wallet nor your liver could take it.

No matter the conference, and no matter its size, we were all con newbies once. You don’t need to be a cybersecurity expert to attend as long as you’re willing to learn. If you don’t know anybody, you are guaranteed to make new friends before you leave. All you have to do is say hello. DEF CON even has a 101 talk just for first-year attendees.

Giving Back

I volunteer. I give back. I am a red-shirt security goon at DEF CON. For me, it is a chance to work with the mentors who taught me throughout my career and to interact with some of the brightest minds in the profession. It is also a chance for me to mentor those in attendance and fellow goons. Volunteering for a conference is a huge commitment, but it allows me to keep my focus on our industry. It’s part of my professional development.

I also use it as a watermark for conducting job interviews. I want to see how serious you are about the cybersecurity community. It’s not a deal breaker if a candidate does not attend security conferences, but one who is plugged into that community certainly has a leg up. Plus, you can learn a lot about a person by which conferences he or she attends.

That’s a valuable lesson — and one that I learned at a security conference.

Westley McDuffie

Security Evangelist, IBM

Westley McDuffie has over 20 years' experience in military-oriented analysis, network infrastructure and information security, mixed in with 10 years of classroom-led instruction. Westley's dedication to educating customers in the art of information security has earned numerous accolades in the security industry. He now is associated with the IBM Federal Sales Team as their Chief Security Evangelist, supporting the DOD and Intelligence Communities.